Advice for charities taking credit card payments
Credit cards are a faster, simpler payment option for charities to facilitate donations. Using credit cards, however, does require additional security measures to be put in place.
It is mandatory for charities which process credit cards to comply with the Payment Card Industry Data Security Standard (PCI DSS). The affect on reputation and possible large fines from a credit card breach would have a significant impact on all the hard won support the charity has achieved.
Charites use various options to take credit card payments including:
- Submitting forms with credit card details on (physical/paper based)
- By telephone (mail order, telephone order/card holder not present)
- Through retail outlets (face to face)
- Via website (Ecommerce)
Charities will sometimes ask for donations to be submitted on paper forms and then sent, or handed to them. Cardholder data would include the full sixteen-digit card number (PAN), the expiry date, and the last three digits of the security number from the back of the card (CVV)
These should not be asked to be transmitted electronically in an unencrypted form, eg simply emailed. If they are posted, or delivered, there needs to be controls in place to keep the details secure. In summary these would include:
- Controlling who receives the details and ensuring this is an authorised person
- Immediately processed credit card details or very soon after collection
- Once processed the credit card data, as a minimum, needs to be masked and ideally destroyed. The first six and last four digits are the maximum allowed to be kept visible, the CVV also needs to be masked.
- Ideally, unless there is a very good reason to maintain credit card data, the best solution is to process it and shred it immediately.
Part of the charity’s credit card payment process may be to take details over the phone. There is also good practice that should be implemented around this process.
As CVV should never be stored post transaction and with only encrypted or masked PAN allowed . Writing this down to process later is not advised and me more difficult to secure. Processing the payment immediately whilst they are given over the telephone ensures that this does not happen. Beware of telephone recording which will also capture these details. There should be a process in place to ensure that card details are not captured in this way. Stopping the recording whilst the card details are given can prevent this happening.
Charity retail outlets will be using a point of sale device normally so that the card details are captured when the card is inserted, and a PIN is required. The most important advice here is to keep these secure. Access by unauthorised personnel, or tampering with the device could be the source of a card data breach. Make sure that staff are trained on how to spot anything unusual with the device and that it is secured.
Charities using Ecommerce sites providing the opportunity to donate via credit card on a website is also a popular way to receive donations. There are numerous controls that need to be in place to ensure this is secure. Relying on the compliance of your payment provider (for example, assuming that because they PCI DSS compliant, you automatically will be) has been the route of many credit card breaches recently. Consider how your website connects to the payment provider and ensure you have your website regularly checked for weaknesses through regular Penetration testing and vulnerability scanning.
Merchants that process, store or transmit credit cards have to comply with the mandatory controls of the Payment Card Industry Data Security Standard (PCI DSS). These are very prescriptive and sometimes understanding the intent of the questions can be confusing. Engaging with a PCI QSA (Qualified Security Assessor) will make sure that you receive expert advice, and help prevent your charity being the victim of a credit card breach. An additional benefit of following the PCI DSS compliance standard is that it helps charities put the necessary technical and organisational controls in place to help meet their GDPR compliance.
The last thing charities want to do is pay huge fines out of the valuable contributions that have been received, and to lose any of the goodwill of their supporters.